EUVD-2026-12142
GHSA-44vg-5wv2-h2hg
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Tags
Description
### Impact If the objects passed in as `names` to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. Examples (found by @ByamB4): Any module where non-underscore attribute chains reach os or sys: - os.path, pathlib, shutil, glob (direct .os / .sys attributes) - statistics (has .sys) - numpy (has .ctypeslib.os and .f2py.sys) - urllib.parse (has .warnings.sys) ### Patches The latest version 1.0.5 has this issue fixed. ### Workarounds Don't pass in objects or modules which have direct attributes to potentially dangerous items. Use a wrapper to wrap the potentially vulnerable items (See the ModuleWrapper in version 1.0.5)
Analysis
Code injection in SimpleEval when objects with dangerous attrs are passed. PoC available.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and dependencies using SimpleEval and assess whether untrusted input is evaluated. Within 7 days: Upgrade SimpleEval to version 1.0.5 or later where available, or implement compensating controls if upgrade is blocked. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today